The Arch Linux team has once again been forced to respond to a distributed denial-of-service attack targeting its AUR repository infrastructure. As a result, DDoS protection has been enabled for aur.archlinux.org to help mitigate the ongoing disruption.

While this measure helps keep the AUR website accessible, it has introduced a significant side effect: pushing to the AUR is currently not possible.

  • beerclue@lemmy.world
    4 days ago

    But… why? I mean, who’s targeting Arch? Sounds like the Arch team has some info that they won’t release (for now), but this is so confusing to me…

      • teawrecks@sopuli.xyz
        3 days ago

        If it’s blocking AUR updates, it could be an attempt to keep some patches to certain exploits from going out? But it seems unlikely that the cost of a ddos is worth the tiny number of possibly vulnerable AUR users out there…

      • Fecundpossum@lemmy.world
        4 days ago

        I wonder if it could be a state actor? I can imagine that the powers that be in MANY countries could be motivated to keep users away from operating system software that isn’t spyware.

        • Laser@feddit.org
          4 days ago

          Then why go against the AUR and not the official mirrors? The former isn’t always exactly the epitome of securely packaged trusted applications.

          • Fecundpossum@lemmy.world
            4 days ago

            Just spitballing, because honestly the amount of effort that must go into sustaining this attack in the long term just baffles me. Like, why?

    • lengau@midwest.social
      4 days ago

      Services I know that have both HTTPS and SSH access have seen all sorts of weird stuff seemingly related to LLM bot scraping over the past few months. Enough to bring down some git servers.

  • gusgalarnyk@lemmy.world
    4 days ago

    Is there anything we can do? Like, pardon my lack of knowledge on the subject, but could I host like a mirror and therefore expand the servers… width (would that be the right word)? That way the bots have to hit even more end points?

    • mushroommunk@lemmy.today
      4 days ago

      You could donate to the project but I don’t think a mirror would help.

      Mirrors still see a specific instance as the truth and sync to that. A mirror would make it possible for someone to download an update from you while the truth instance is down (or always from you if you’re closer and faster) but without that first truth instance there’ll be no new updates. There won’t be syncing across mirrors. And it wouldn’t really impact any DDOS because it’s still that first instance being targeted.

      DDOS mitigation can take one of two main ways. Add enough server power to overcome the DDOS, this is insanely expensive and out of reach for most all but like Amazon and Meta. The second is to cut off whatever is doing the DDOS, either by disabling the specific protocol or endpoint being used or not allowing certain IPs to connect. These are probably what they are doing already and there’s not much you can do as an outsider to help with this either sadly.

      • gusgalarnyk@lemmy.world
        4 days ago

        I already donate but I’ll review my contribution and see if I can throw a few more euros their way.

        Thanks for the explanation on truth in terms of mirrors, that helps me understand. I was offering server power but that might not be feasible or meaningful. And based on what you’ve said, it seems like the Disable focused warfare is the best approach.